
Invent ERP Security Statement

1. Security Statement 

Our information security program is based on recognized standards and best practices. As part of our commitment to the highest standards of information and cyber security, Invent is dedicated to preserving the security and privacy of the information we receive from our clients. To provide a satisfactory level of service we collect only the minimum of personal data about you. This Privacy Policy describes the kinds of processing that may result in data being collected about you; by using this website you consent to that collection. The governing laws of the Kingdom of Bahrain apply.

2. Confidentiality 

Client/customer demographic information is strictly confidential and shall not be disclosed to any third party without written consent from the client/customer. The same applies to information that clients/customers receive from Invent. Both parties must handle shared details and information with the utmost confidentiality and trust.

3. Disclosing Information

We do not disclose personal information obtained about you through this website to third parties, except where this is necessary to complete a transaction. We may also use the data to stay in touch with you and to inform you of changes relating to our company; you will always have the option to unsubscribe from any email list or similar service. Should we ever wish to share information gathered on this website with third parties, we will do so only with your knowledge and consent.

We may occasionally give aggregate information to outside parties, such as the number of people who visit our website or fill out a registration form, but never data that could be used to identify individuals.

4. Invent Cloud

4.1. Backup/Disaster Recovery 

Every Invent ERP database is fully backed up three times, and the backups are retained for a minimum of three months.

Hardware Failover

Our team treats every incident, breach or loss of data extremely seriously and follows a dedicated procedure when one occurs. We will inform you of any situation that concerns you, together with any steps you may need to take. Issues are tracked until the necessary corrective measures have closed them. Where appropriate, we will locate, collect and provide you with the relevant evidence, in the form of application and audit logs, for incidents that pertain to you. We also put controls in place to prevent the same circumstances from recurring.

4.1.2. 5 Step Breach Measure 

The 5-step measure is a dedicated approach to handling incidents relating to data loss or breach. 

4.1.2.1. Gathering Information

Establish whether a breach has actually occurred, then determine its cause and severity.

  • Quickly establish what has been compromised.
  • Identify the weaknesses that led to the data leak.
  • Fix the underlying problem so that it cannot recur.
Tips

Scammers frequently claim that your accounts have been compromised as a pretext for obtaining your personal information.

  • Keep up with the most recent scams.
  • Train your team to recognize a scam before it becomes a data leak.

4.1.2.2. Containment 

Containment means stopping the data leak, removing the attacker, patching the system and preserving evidence of the breach.

  • Prevent the breach from spreading.
  • Isolate the threat.
  • Take affected servers and computers offline; where possible, capture volatile evidence (memory, running processes, network connections) before powering anything off, since shutting down destroys it.

4.1.2.3. Breach Notification

The General Data Protection Regulation (GDPR) requires that, where we act as data controller, we notify the relevant Data Protection Authority of a breach within 72 hours of becoming aware of it. Where required, we also notify the affected individuals. Where we act as data processor, we promptly notify the relevant data controllers.
The fundamental guidelines are as follows:

  • Give the pertinent information.
  • Explain how the situation occurred.
  • Describe the steps being taken to fix the problem.
  • Invite discussion. Depending on the kind of breach, discuss the problem with your clients, analysts, the media and the general public.
  • Advise clients how to avoid a similar problem in the future.

4.1.2.4. Credentials Change Management

Rotate all passwords, and any keys or tokens that may have been exposed, as soon as the system is secure and "locked down".

4.1.2.5. Increase and Monitor Security Levels

Once the breach has been remediated, adapt the security controls so that the system is more resistant to future attacks, and monitor it for signs of recurrence.

Tips

Prevention is the most effective and least expensive approach: protecting your company against hackers, ransomware and other online threats carries minimal upfront cost and a low ongoing cost compared with recovering from a breach. The source of a problem may be internal or external; in either case, training your staff to recognize online threats and to secure their accounts and passwords against intrusion is a step you can take now.

4.2. Database Security 

  • There is no data exchange between clients; all customer information is kept in a separate database.
  • Complete isolation across customer databases running on the same cluster is implemented by data access control rules, meaning that no data can be accessed from one database to another.

We use a managed database service so that the database server's underlying operating system is kept current, and we require the database software itself to run the most recent compatible version. All external libraries used in the application-level software must be actively maintained; any dependency on an unmaintained library is removed promptly. For fields classified as sensitive, the solution uses both file-system-level encryption and field-level encryption.

4.3. Password Security

  • Credentials for logins are always sent securely via HTTPS.
  • Password policies: a minimum password length and mixed-case characters are enforced for users, and the platform limits failed login attempts.
  • Passwords: Follows the OWASP password guidelines standard.

4.4. Staff Access

Employees from the Invent helpdesk may log into your account to view settings pertaining to your support issue. Rather than using your password—which they have no way of knowing—they utilize their unique staff credentials for this.

With this unique staff access, efficiency, and security are increased because we can audit and regulate staff actions independently, they can quickly replicate the issue you are experiencing, and you never have to reveal your password.

Our helpdesk team works hard to protect your privacy, accessing files and settings only as necessary to identify and fix problems.

4.5. System Security 

Our infrastructure runs on AWS cloud services. To secure it, we follow AWS best practices and guidelines and use the security controls AWS provides, including the following:

  1. AWS WAF.
  2. AWS Route 53 Resolver DNS Firewall.
  3. Amazon GuardDuty.
  4. AWS CloudTrail.

All host-level logs are forwarded to Amazon CloudWatch. Application-level logs are stored in the per-tenant database. At the service level, we use managed services (Amazon GuardDuty and Amazon CloudWatch) to generate real-time security

Users, third parties and partners (if any) are not permitted access to any of the servers or instances hosted on AWS.

4.6. Physical Security 

AWS servers meet the physical security requirements and are housed in reliable data centers across the globe, they maintain and manage the physical security.

4.7. Credit Card Safety

Credit card information is never kept on our internal systems. Your credit card information is always transmitted securely between you and our Approved PCI-compliant payment acquirers.

4.8. Data Encryption

Encryption (both in transit and at rest) is always used to transfer and store customer data.

  • Data at rest is encrypted using disk encryption, with additional database-level (field-level) encryption for sensitive data. The ciphers used are AES-256-GCM, an authenticated mode that protects integrity on its own, and AES-256-CBC combined with an HMAC for integrity.
  • Data in transit is encrypted using Transport Layer Security (TLS); only cipher suites currently considered secure are enabled.
  • Cryptographic keys are managed using the Amazon Web Services (AWS) Key Management Service (KMS).
  • SSL/TLS: all web connections to client instances are secured by a grade-A SSL/TLS stack with at least 128-bit AES encryption and a 2048-bit RSA certificate. Our entire certificate chain currently uses SHA-256 signatures.

4.9. Network Defense

HTTPS is enforced for incoming requests. Incoming requests must also pass WAF and Network Firewall before they reach the application tier.

Every data center provider that Invent works with operates a very large network whose architecture is designed to withstand even the most powerful Distributed Denial of Service (DDoS) attacks. At the perimeter of their transcontinental networks, their automated and manual mitigation systems identify and reroute attack traffic before it can affect service availability.

On Invent’s Cloud servers, intrusion prevention systems and firewalls assist in identifying and thwarting security risks like brute-force password attacks.

The rate limitation and cooling period for multiple login attempts can also be customized by customer database administrators.

The systems, servers, and networking devices are kept up-to-date, at the latest patches.

5. Invent ERP

5.1. Software Security 

The Invent ERP codebase is regularly inspected by global contributors and outside organizations, so bug reports are a valuable source of security-related input. Users can also report bugs through the ticketing system (see the Terms & Conditions for details).

Code review procedures for newly created and submitted code are part of the Invent Research and Development processes. These procedures cover security considerations.

The security team follows the NIST Cybersecurity Framework (CSF) to ensure that best practices are applied at every stage of the application life-cycle. Because all parties follow the same framework and procedures, communication overhead is reduced, particularly when a critical action is needed.

5.1.1. User Roles

Every account abides by the least privilege concept. AWS IAM roles are used to manage service accounts. Our internal system handles user account management and user-based access restrictions. Policies for access vary by action and resource. The privileges assigned to each account are reviewed by routine auditing. 

5.2. Secure by Design

We follow our own practices for security and measurement, and certain security-related duties are outsourced when appropriate. The way Invent is built prevents most common classes of security flaws from being introduced in the first place:

  • SQL injection is avoided by using a higher-level data-access API instead of hand-assembled SQL queries.
  • Cross-site scripting (XSS) is prevented by a templating system that automatically escapes every value interpolated into a page.
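The two protections above, demonstrated side by side. This is an added example and not Invent's code: the table, rows and payloads are constructed, an in-memory SQLite database stands in for the ERP's data store, and `html.escape` plays the role the auto-escaping template engine plays for every interpolated value.

```python
"""Added example (not Invent's code): why a parameterised data-access API
blocks SQL injection and why auto-escaping blocks XSS.
Sample table and rows are constructed for illustration."""
import html
import sqlite3


def demo_db() -> sqlite3.Connection:
    # Constructed sample data: invoices belonging to two different customers.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, customer TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "acme", 120.0), (2, "acme", 80.5), (3, "globex", 999.0)],
    )
    return conn


def invoices_unsafe(conn: sqlite3.Connection, customer: str) -> list:
    # Vulnerable: the untrusted value is spliced into the SQL text, so a
    # quote in the input changes the meaning of the WHERE clause.
    sql = f"SELECT id, customer, amount FROM invoices WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def invoices_safe(conn: sqlite3.Connection, customer: str) -> list:
    # Hardened: the driver binds the value as data; it can never become
    # SQL syntax. This is what a higher-level data-access API does for you.
    sql = "SELECT id, customer, amount FROM invoices WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def render_unsafe(name: str) -> str:
    # Vulnerable: untrusted text is placed in the HTML verbatim.
    return f"<p>Welcome, {name}</p>"


def render_safe(name: str) -> str:
    # Hardened: escape <, >, &, " and ' so the browser renders the text
    # instead of executing it; an auto-escaping template does this by default.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = demo_db()
    payload = "acme' OR '1'='1"
    print(invoices_unsafe(conn, payload))  # leaks globex's invoice as well
    print(invoices_safe(conn, payload))    # [] - nobody is literally called that
    print(render_unsafe("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
```

The injected string turns the vulnerable query into `WHERE customer = 'acme' OR '1'='1'`, which matches every row; the bound parameter is compared as a literal and matches nothing. The same idea applies to any value that crosses a trust boundary into a query or a page.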

5.3. Independent Security Audits

Independent firms conduct security audits and penetration tests on Invent regularly. After reviewing the findings, the Invent ERP team implements the necessary corrective actions. Invent also has an active community of independent security researchers who work with us to strengthen Invent's security and who regularly review the source code.

Three separate environments are maintained: Production, Staging and Development. Strict release management, approved workflows and authorization levels ensure that software is tested, and that the related security and configuration guidelines are preserved, before anything is deployed to production.

5.4. Authentication

We are committed to protecting your data, from ensuring that only you can access your ERP Account to stopping potentially harmful activity in its tracks.

Both authentication and authorization are required for data access. Strict access controls protect data while it is in use, and policies are applied per resource and per user.

For access control, we have both application-level and service-level logging in place to monitor access, to limit access to information from both internal and external sources, and to uniquely identify users so that access attempts can be tracked and examined. Authentication is required before any access at the application level, and strict access rules apply per resource and per user. Data is safeguarded in use, in transit and at rest.

  • Users may enable two-factor authentication (2FA) from their profile.
  • Session controls end sessions automatically after a predetermined period; by default, a session ends after two hours of inactivity.
  • Passwords follow the OWASP best-practice guidelines.
  • If you lose your password, the only option is to reset it: Invent staff do not have access to it and cannot retrieve it for you.
  • Password policies: a minimum password length and mixed-case characters are enforced for users, and the platform limits failed login attempts.
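The password and login controls described in 4.3, 4.9 and this section, as one added example that is not Invent's code: a policy check (minimum length plus mixed case), salted password hashing so that a stored password cannot be recovered by staff, and a failed-login limiter with a lockout threshold and cooling period. The threshold, cooling period, PBKDF2 iteration count and user names are illustrative assumptions; the lockout check runs before the password is verified so a locked account gives no oracle.

```python
"""Added example (not Invent's code): password policy, non-reversible
password storage and a failed-login limiter with a cooling period.
Numeric settings are illustrative, not Invent's configured values."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


def password_meets_policy(pw: str, min_length: int = 12) -> bool:
    # Minimum length (in characters) plus at least one lower- and one
    # upper-case letter, as the statement describes.
    return (
        len(pw) >= min_length
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
    )


def hash_password(pw: str, iterations: int = 200_000) -> str:
    # Salted PBKDF2-HMAC-SHA256; the stored string cannot yield the password.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, pw: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


@dataclass
class LoginLimiter:
    max_failures: int = 5          # failures within the window before lockout
    cooling_period: float = 900.0  # seconds locked; also the counting window
    failures: dict = field(default_factory=dict)      # user -> [timestamps]
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        recent = [t for t in self.failures.get(user, []) if t > now - self.cooling_period]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.cooling_period
            self.failures[user] = []
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def attempt_login(limiter: LoginLimiter, stored_hash: str, user: str, pw: str, now: float) -> str:
    """Return 'locked', 'ok' or 'denied'. The lockout check comes first so a
    locked account rejects even the correct password and cannot be brute-forced."""
    if limiter.is_locked(user, now):
        return "locked"
    if verify_password(stored_hash, pw):
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user, now)
    return "denied"


if __name__ == "__main__":
    stored = hash_password("Correct-Horse-Battery-12")
    lim = LoginLimiter(max_failures=3, cooling_period=600.0)
    for t in (0, 10, 20):
        print(attempt_login(lim, stored, "alice", "wrong", float(t)))  # denied x3
    print(attempt_login(lim, stored, "alice", "Correct-Horse-Battery-12", 30.0))   # locked
    print(attempt_login(lim, stored, "alice", "Correct-Horse-Battery-12", 700.0))  # ok
```

In production the same limiter is usually keyed by source address as well as by user, so that a distributed guessing attack against many accounts is also throttled, and the counters live in a shared store rather than in process memory.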

5.5. Audit and Accountability  

The system automatically records all user actions and events, including the creation, updating and deletion of records, and sets and updates the "Access Log fields" automatically. Each log entry includes a timestamp, the identity of the user or service, and a detailed error report to support post-mortem investigations.

Service-level audit logs are stored by the cloud provider in a managed service. Application-level audit logs are kept in the cloud provider's managed logging service to guard against log manipulation, and host-level logs are sent to Amazon CloudWatch.
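A tamper-evident form of the audit record described above, added here as an example that is not Invent's code: each record carries an HMAC over its own fields and the previous record's tag, so any edit, deletion or reordering of past entries breaks the chain and is detected on verification. The key, field names and sample events are constructed for illustration.

```python
"""Added example (not Invent's code): a hash-chained audit trail in which
each record's HMAC covers the previous record's tag, making the history
tamper-evident. Key and sample events are constructed for illustration."""
import hashlib
import hmac
import json


class AuditTrail:
    def __init__(self, key: bytes):
        self.key = key        # kept outside the database the trail describes
        self.records = []     # append-only list of dicts

    def _tag(self, fields: dict, prev_tag: str) -> str:
        # Canonical JSON so an identical record always produces the same tag.
        body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

    def append(self, ts: str, actor: str, action: str, record_id: str, detail: str = "") -> dict:
        prev_tag = self.records[-1]["tag"] if self.records else ""
        rec = {"ts": ts, "actor": actor, "action": action, "record_id": record_id, "detail": detail}
        rec["tag"] = self._tag(rec, prev_tag)  # computed before the tag key exists
        self.records.append(rec)
        return rec

    def verify(self) -> int:
        """Return -1 if every record chains correctly, else the index of the
        first record whose tag does not match its contents and predecessor."""
        prev_tag = ""
        for i, rec in enumerate(self.records):
            fields = {k: v for k, v in rec.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(fields, prev_tag), rec["tag"]):
                return i
            prev_tag = rec["tag"]
        return -1


def demo_trail() -> AuditTrail:
    # Constructed sample events; the key would come from a KMS-backed secret.
    trail = AuditTrail(key=b"example-audit-key-not-for-production")
    trail.append("2024-01-01T09:00:00Z", "alice", "create", "INV-1001", "amount=120.0")
    trail.append("2024-01-01T09:05:00Z", "bob", "update", "INV-1001", "amount=80.5")
    trail.append("2024-01-01T09:10:00Z", "alice", "delete", "INV-1002")
    return trail


if __name__ == "__main__":
    trail = demo_trail()
    print("intact:", trail.verify())                 # -1
    trail.records[1]["detail"] = "amount=8000.0"     # someone edits history
    print("after tamper:", trail.verify())           # 1
```

The chain detects edits, deletions and reordering of earlier entries, but not truncation of the most recent ones; that is why the latest tag (or the records themselves) should also be shipped to a log store that the application cannot modify, as the managed logging service above is used for.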

Reporting Security Vulnerabilities

You can open a ticket with the helpdesk to report a security issue. Such reports receive top priority: the Invent security team promptly investigates and resolves the issue together with the reporter, and the information is then responsibly disclosed to Invent users and customers.